Data Protection Act 1998

After nearly four and a half years at the University of Sunderland, I’m moving on to a new role at ORCID, as their Education & Outreach Specialist. For most of my time at UoS, I’ve been the E-Resources Librarian and the Law Librarian, which has been a very interesting combination of roles.

My participation in UKSG has grown from attending the 2013 conference (where I first heard about ORCID), the 2014 conference, being invited to join the UKSG Research & Innovation Sub-Committee, and then being elected to UKSG Committee. I’m looking forward to carrying on this role in my new job, and glad that ORCID is fully supportive of my involvement.

I would like to thank the colleagues who have helped to realise many of these projects, especially Rachel Webb and Ian Frost, trusty allies in periodicals and IT.

Lastly, there is some unfinished business concerning EBSCO EDS and Single Sign-On. In short, EBSCO and Eduserv are proposing a change to how users log in to EDS, so that they will also immediately be logged in to their personal folders. This solution will appeal to libraries, as users often struggle with the current situation where you log in first to the system, and then again (with different credentials) to access your personal folders. However, this change involves sending users’ personal data outside the EU, and therefore has Data Protection implications. Here is my most recent communication to Eduserv on the matter, sent in advance of last week’s webinar “Approaches to authentication – evolution, security, options for the future”:

I would like to ask you about how the use of EDS and SSO fits with the Data Protection Act (1998) requirements that personal information used by organisations is not transferred outside the European Economic Area without adequate protection.
I have made this enquiry before and have been told that it is up to the organisation to decide if EBSCO’s use of servers outside the EU complies with the DPA (really?). This respondent also quoted the Safe Harbor framework, appearing not to know of the EU Court of Justice decision in 2015 that the Safe Harbor regime did not provide a valid legal basis for EEA-US transfers of all types of personal data.
I wonder if someone at this webinar may be able to provide a better response. I urge Eduserv and EBSCO not to pass this matter back to individual organisations alone, but to offer some advice and guidance about the implications, especially as many library staff making decisions about implementing the EDS & SSO option may not be aware of the legal implications.

I have not yet had a response from them, and the recording of the webinar has not yet been released so I don’t know if it was addressed during the session.

Library colleagues, please be alert to the implications, keep asking Eduserv and EBSCO about this, and don’t let your users’ data be released without adequate legal and ethical safeguards.

OpenAthens Single Sign-On (SSO) is a SAML-compliant Shibboleth-type authentication method used for University login to a wide range of electronic resources.

SSO works by mediating between an identity provider (e.g. a university, checking that the user’s account is current), and a service provider (e.g. a database, to which the user’s university has a current subscription). Here’s a diagram of the data flow:

Authentication data flow. Image credit University of Florida.

Critically, the identity provider and the service provider don’t communicate directly. The user’s personal credentials are never transmitted to the service provider; it receives only confirmation that the user’s identity has been verified.

This means that when someone logs in to a database or journal platform, they are greeted by “Welcome, University of Sunderland user” or “You are logged in as University of Sunderland”, but the database or platform does not know anything further about their identity.

Why does this matter? Service providers’ servers may be located anywhere in the world, often outside the EU. The Data Protection Act 1998 controls how personal information is used by organisations, businesses or the government. It requires that data controllers (organisations etc) handle personal data according to people’s data protection rights, and do not transfer it outside the European Economic Area without adequate protection.

Recently, EBSCO have started promoting the use of an enhanced version of SSO which means that a user will be authenticated into EBSCO Discovery Service (EDS) and simultaneously logged in to their personal folders. This will sound very appealing to many EDS customers, as currently the personal folders require the user to log in (again) with their EBSCOhost account (yet another userID and password to remember). With the standard SSO setup, this would not be possible, so I started asking questions about what additional data exchange would be needed in order for the user to be individually identified.

Email from EBSCO:

Essentially the only requirement for setting up SSO is that your Shibboleth releases a persistent unique ID. However we generally recommend releasing other attributes:

Only a unique user ID (e.g. employee ID, organization-specific email) is required to be sent in the SAML assertion. It is recommended that First Name, Last Name and Email also be sent to better support sharing and email from within the EBSCO user interface.

At the mention of persistent unique ID, I started to wonder about the data protection law implications.
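To make concrete what “releases a persistent unique ID” plus names and email looks like at the SAML level, here is an added example (my own illustration, not code from the original post, EBSCO or OpenAthens). It parses a constructed assertion and reports which identifying attributes an identity provider is releasing to a service provider, so a library can check the actual release against what it has decided to permit. The entity IDs, attribute values and the `permitted` set are assumptions.

```python
# Added example (not from the original post, EBSCO or OpenAthens): audit which
# identifying attributes a SAML 2.0 assertion releases to a service provider.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Attributes that identify an individual, directly or via a persistent ID.
IDENTIFYING = {"mail", "givenName", "sn", "eduPersonPrincipalName",
               "eduPersonTargetedID"}

# Constructed assertion of the kind an EDS-style setup asks for: a persistent
# NameID plus affiliation, email, first name and last name (all values made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed">
 <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">1f2e3d4c</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation"><saml:AttributeValue>member@example.ac.uk</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"><saml:AttributeValue>a.reader@example.ac.uk</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn"><saml:AttributeValue>Reader</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def released_attributes(assertion_xml):
    """Map each released attribute (FriendlyName, else Name) to its values."""
    root = ET.fromstring(assertion_xml)
    released = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        released[name] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return released

def audit(assertion_xml, permitted):
    """Compare what the IdP actually releases with what the library chose to permit."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    released = released_attributes(assertion_xml)
    return {
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
        # A persistent NameID lets the SP recognise the same person on every visit.
        "persistent_id": name_id is not None and name_id.get("Format") == PERSISTENT,
        "identifying_released": sorted(set(released) & IDENTIFYING),
        "over_release": sorted(set(released) - set(permitted)),
    }

if __name__ == "__main__":
    # Anonymous "University user" access needs only the affiliation attribute.
    print(audit(SAMPLE_ASSERTION, {"eduPersonScopedAffiliation"}))
```

Run it against a real assertion captured from your own IdP's logs (or a browser SAML tracer) to see exactly what leaves the institution for a given service provider.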

I followed this up with a phone call, asking about compliance with data protection law. It seems that this query hadn’t previously arisen in the UK, though it had in Scandinavia where they are more aware of the issues. Safe Harbo(u)r was mentioned, but I pointed out that in 2015, the European Court of Justice declared invalid the Safe Harbor data-transfer agreement that had governed EU data flows across the Atlantic for some fifteen years. I was directed to EBSCO’s White Paper about information security, but it didn’t mention anything about data protection.

All data that is given to OpenAthens is stored here in the UK. We provide the option of mapping attributes out to various publishers however this is controlled and decided by you. The default information that is sent to authenticate the user does not hold any data that identifies the user personally.

To me, “this is controlled and decided by you” sounds very much like ducking the question.

I appreciate that decisions on the release of personal data are ultimately the responsibility of the data controller, but I am concerned that neither EBSCO nor OpenAthens seem to acknowledge the legal and ethical difficulties that this presents to libraries having to make these decisions. I believe that if they are advocating this enhanced use of SSO, they have a moral obligation to point out the data protection implications, even if they can’t advise libraries on these matters.

I would be grateful to hear from anyone who knows more about this – please leave me a comment. Thanks for any wisdom you can offer!

This is the first of two posts based on a session I attended recently entitled What’s private and what’s public? Data Protection and Freedom of Information. This post does not constitute formal legal advice.

The Data Protection Act 1998 (DPA) is mostly concerned about information you must not disclose, whereas the Freedom of Information Act 2000 (FoI) covers information which you have an obligation to provide.

Personal data in libraries

In libraries, we hold information which is affected by the DPA, such as:

Information about students themselves and their use of libraries (where they have been, what they have borrowed, name, address, email, etc.), as well as information about staff and possibly non-members of the University (external visitors).

The DPA’s data protection principles (set out under the next heading) require that such data must, among other things, not be transferred outside the European Economic Area, unless the recipient country can ensure an adequate (equivalent) level of protection.

How the University fulfils these criteria

Be processed fairly and lawfully – our processing is lawful because we undertake it in pursuit of the legitimate interests of our business, namely providing readers with books. The University of Oxford asks its members (and external readers) to sign their agreement to the University holding the data when they apply for their University Card. The agreement reads: “I understand that the information will be collected and processed according to the provisions of the Data Protection Act 1998”

Be held only for specified purposes – the University is registered for lending and hire, education and training; and these cover all activities relating to the access and borrowing privileges of readers. This also means that we can’t use readers’ data for purposes beyond this remit without their permission

Be adequate, relevant and not excessive – we only gather the data we need for library purposes

Be accurate and kept up-to-date – when a reader informs us of a change to their details, we must update their record promptly

Not be kept for longer than necessary – The main University Card database holds records indefinitely as people may return for further study or employment. However, once a reader’s record expires, their record is deleted from the library’s database

Be processed in accordance with the data subject’s rights – the data subject has the right to inspect the data we hold about them; and if they believe that something is wrong and/or that damage or distress is being caused, they have the right to prevent processing of data about them, to rectify, block or erase data and to sue for damage being caused

Be kept secure – we must not disclose personal data to unauthorised persons. Library staff are authorised persons because they are employees of the Data Controller. Take care with the angle of computer screens at enquiry desks so that readers can’t see personal info about other people. Don’t write passwords on notes kept by the computer. Ensure filing cabinets containing personal data are kept locked. Dispose of personal data securely (i.e. by shredding it). If students occupy a staff area, switch off computers immediately. It is good practice to lock computers [PC: Ctrl-Alt-Del and Enter] when not in use, even in staff-only areas

Not be transferred outside the European Economic Area, unless the recipient country can ensure an adequate (equivalent) level of protection – for example, the USA does not have such provisions. Take care over the location of your servers and cloud computing services. If using a site like SurveyMonkey, you might choose to state that “this data will be processed in the USA”

Sensitive data may only be recorded with the explicit consent of the person. If the person has disclosed some of this information to any one person in the University, the whole University is deemed to know, even though the info is secret and therefore probably not being passed on.

Who’s who

Data controller: person who determines the purposes for which and the manner in which any personal details are or are to be processed

Data processor: any person (other than an employee of the data controller) who processes the data on behalf of the data controller

Data subject: an individual who is the subject of personal data

CCTV

Information captured by a closed-circuit television system counts as personal data. People should know they are being recorded: have a notice displayed to let them know, with contact details in case anyone has any queries.

If a CCTV screen is on display to readers or other members of the public, it must be recording a view of the place where they are, not somewhere else.

You may only circulate images from CCTV to people who really need to know. Images may be passed to the police if they ask us to supply them.

Claims by data subjects

Data subjects can ask to see all our records relating to them – within 21 days, for a small admin fee. Therefore, only record what you are prepared for the data subject to see!

Only the data subject can ask, or their representative with written consent. Only living people have rights under the DPA. In supplying records, we must not breach others’ DPA rights. Always refer to the University’s DP officer if in doubt.